diff -up dhcp-4.0.0/client/dhclient.c.CVE-2009-0692 dhcp-4.0.0/client/dhclient.c
--- dhcp-4.0.0/client/dhclient.c.CVE-2009-0692 2007-11-30 11:51:42.000000000 -1000
+++ dhcp-4.0.0/client/dhclient.c 2009-08-05 12:10:19.000000000 -1000
@@ -2813,8 +2813,15 @@ void script_write_params (client, prefix
if (data.len > 3) {
struct iaddr netmask, subnet, broadcast;
- memcpy (netmask.iabuf, data.data, data.len);
- netmask.len = data.len;
+ /*
+ * No matter the length of the subnet-mask option,
+ * use only the first four octets. Note that
+ * subnet-mask options longer than 4 octets are not
+ * in conformance with RFC 2132, but servers with this
+ * flaw do exist.
+ */
+ memcpy(netmask.iabuf, data.data, 4);
+ netmask.len = 4;
data_string_forget (&data, MDL);
subnet = subnet_number (lease -> address, netmask);